
Node 8: Out with the old and in with the patchable

Danielle Adams


Starting tomorrow, Node 8 is officially unsupported. What does this mean for Node developers? The circuit breakers for Node 8 access don’t immediately turn off: you can still download it and use it in your source code, but be mindful that the Node team will no longer be “maintaining” the runtime. This means that new features and bug fixes will no longer be applied to the version, and this includes security patches. It’s easy to assume that the biggest disadvantage of using an outdated language or runtime version is the hit to performance, but the real danger is in the security patches (or lack thereof).

Lucky for us, the Node team has a quick turnaround of version releases: every 6 months we get a new version, but that means versions are deprecated at the same rate too. The following is the most up-to-date calendar of the release schedule:

https://github.com/nodejs/release

With Node 8 reaching end-of-life, the supported versions of Node will be Node 10, 12, and 13 — until April when Node 14 is released and will replace Node 13 as the “current” version.

“Generally changes are expected to live in a Current release for at least 2 weeks before being backported.”

Node’s release plan explains that changes live in the current release (now Node 13) before being added to active releases (currently Node 10 and Node 12). These changes ship in minor and patch releases of those versions, which follow semantic versioning.

“Once a release moves into Maintenance mode, only critical bugs, critical security fixes, documentation updates, and updates to ensure consistency and usability of the N-API across LTS releases”

Up until today, this meant that Node 8 mostly received only updates for critical bugs and security patches.

How quickly should I update?

Node is built with web servers in mind, and any use of the HTTPS module is highly reliant on OpenSSL’s support of TLS (Transport Layer Security). Even libraries that are meant to secure other libraries have security vulnerabilities and reach their own…
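A startup or CI check for the release lines described above, as an added example that is not part of the original post: it classifies a Node version against the support snapshot the article gives (Node 8 end-of-life, 10 and 12 active, 13 current) and reports the OpenSSL version the runtime was built with. The function names and the `ENFORCE_NODE_SUPPORT` variable are assumptions made for illustration.

```javascript
// Added example. Support snapshot taken from the article (Node 8 end-of-life,
// Node 10 and 12 active, Node 13 current). Keep it in sync with
// https://github.com/nodejs/release.
const SUPPORT_TABLE = { 10: 'active', 12: 'active', 13: 'current' };

// Parse "v12.14.0", "12.14.0" or "v14.0.0-pre" into numeric parts; null otherwise.
function parseNodeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  return m ? { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) } : null;
}

// Classify a version string against the table.
function classifyRuntime(version, table = SUPPORT_TABLE) {
  const parsed = parseNodeVersion(version);
  if (!parsed) return { version, status: 'unparseable', supported: false };
  const newest = Math.max(...Object.keys(table).map(Number));
  let status;
  if (table[parsed.major]) {
    status = table[parsed.major];
  } else if (parsed.major > newest) {
    status = 'not-listed'; // newer than the snapshot: the table needs updating
  } else {
    status = 'end-of-life'; // older, or a skipped release line such as 9 or 11
  }
  const supported = status === 'active' || status === 'current';
  return { version, major: parsed.major, status, supported };
}

// Report for a process object, including the OpenSSL version Node was built with.
function runtimeReport(proc = process) {
  return Object.assign(classifyRuntime(proc.version), { openssl: proc.versions.openssl });
}

const report = runtimeReport();
console.log(`node ${report.version}: ${report.status}, OpenSSL ${report.openssl}`);

// ENFORCE_NODE_SUPPORT is a hypothetical opt-in switch: set it to "1" in a CI job
// to fail the build when the runtime is not an active or current release line.
if (process.env.ENFORCE_NODE_SUPPORT === '1' && !report.supported) {
  process.exitCode = 1;
}
```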


Danielle Adams

Software Engineer at AWS. Open source developer, New Yorker, TBD.